From 5a1764acf7623ee04d8610793f418ab1d4e2226e Mon Sep 17 00:00:00 2001
From: Luke Hinds
Date: Thu, 8 Dec 2016 12:46:40 +0000
Subject: Adds ability to populate SSH Banner text

A puppet manifest to allow the toggle of 'Banner' in sshd_config and enable population of an SSH login banner needed for security compliance such as DISA STIG If `Bannertext` is set as a parameter, the `Banner` key within sshd_config is toggled to `/etc/issue` and the content is copied into the `/etc/issue` file
Change-Id: Ie9f8afdfa9930428f06c9669fedb460dc1064d5e
Closes-Bug: #1640306
---
manifests/profile/base/sshd.pp | 61 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 manifests/profile/base/sshd.pp
(limited to 'manifests/profile/base/sshd.pp')
diff --git a/manifests/profile/base/sshd.pp b/manifests/profile/base/sshd.pp
new file mode 100644
index 0000000..e7916c1
--- /dev/null
+++ b/manifests/profile/base/sshd.pp
@@ -0,0 +1,61 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::sshd
+#
+# SSH profile for tripleo
+#
+# === Parameters
+#
+# [*bannertext*]
+# The text used within SSH Banner
+# Defaults to hiera('BannerText')
+#
+class tripleo::profile::base::sshd (
+ $bannertext = hiera('BannerText', undef),
+) {
+
+ if $bannertext {
+ $action = 'set'
+ } else {
+ $action = 'rm'
+ }
+
+ package {'openssh-server':
+ ensure => installed,
+ }
+
+ augeas { 'sshd_config_banner':
+ context => '/files/etc/ssh/sshd_config',
+ changes => [ "${action} Banner /etc/issue" ],
+ notify => Service['sshd']
+ }
+
+ file { '/etc/issue':
+ ensure => file,
+ backup => false,
+ content => $bannertext,
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+
+ service { 'sshd':
+ ensure => 'running',
+ enable => true,
+ hasstatus => false,
+ require => Package['openssh-server'],
+ }
+}
-- cgit 1.2.3-korg
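Review bot: The `file { '/etc/issue': }` resource is declared unconditionally, so with `bannertext` unset the class still takes over `/etc/issue` and forces mode `0600` on it even though the `Banner` directive is being removed; wrapping that resource in `if $bannertext { ... }` would leave the file alone when no banner is configured. In the same unset case the interpolated change becomes `rm Banner /etc/issue`, while Augeas `rm` takes only a path, so it is worth confirming the provider tolerates the trailing argument or building the string per branch (`$change = 'rm Banner'`). The `augeas` resource also edits `sshd_config` without `require => Package['openssh-server']`, so it depends on manifest ordering for the file to exist on a fresh node. Because `/etc/issue` is normally also the pre-login message shown by getty on the local console, a comment such as `# NOTE: replaces the console pre-login message as well as the SSH banner` above the file resource would help operators.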